Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
| Comment: | Relax constraints on the SQL used to set up the ticket schema slightly: (1) Allow creating views whose names begin with "ticket" or "fx_". (2) Allow creating tables whose names begin with "fx_". (3) Allow data changes to tables whose names begin with "fx_". |
|---|---|
| Downloads: | Tarball | ZIP archive | SQL archive |
| Timelines: | family | ancestors | descendants | both | trunk |
| Files: | files | file ages | folders |
| SHA3-256: |
93c45cd4e04a59c60dd3477d1ae8f061 |
| User & Date: | drh 2020-10-10 15:52:52 |
Context
|
2020-10-10
| ||
| 16:32 | Improved interwiki link documentation. Enhance the /intermap page so that it shows the current intermap (read-only) to non-setup users, rather than completely exluding such users. ... (check-in: baeab56e user: drh tags: trunk) | |
| 15:52 | Relax constraints on the SQL used to set up the ticket schema slightly: (1) Allow creating views whose names begin with "ticket" or "fx_". (2) Allow creating tables whose names begin with "fx_". (3) Allow data changes to tables whose names begin with "fx_". ... (check-in: 93c45cd4 user: drh tags: trunk) | |
| 12:05 | Renamed fossil.page.wikiedit-wysiwyg-legacy.js to fossil.wikiedit-wysiwyg.js so that the excessively long name doesn't cause /dir to have, at most, 2 columns. Removed some dead code and added a tiny bit of docs. Updated changelog per forum request. ... (check-in: a759842a user: stephan tags: trunk) | |
Changes
Changes to src/tkt.c.
| ︙ | ︙ | |||
371 372 373 374 375 376 377 |
Th_Store("uuid", zUuid);
zConfig = ticket_change_code();
return Th_Eval(g.interp, 0, zConfig, -1);
}
/*
** An authorizer function for the SQL used to initialize the
| | > > > > > > | > > > > > > | > > > > > > | > > | > > > | 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 |
Th_Store("uuid", zUuid);
zConfig = ticket_change_code();
return Th_Eval(g.interp, 0, zConfig, -1);
}
/*
** An authorizer function for the SQL used to initialize the
** schema for the ticketing system. Only allow
**
** CREATE TABLE
** CREATE INDEX
** CREATE VIEW
**
** And for objects in "main" or "repository" whose names
** begin with "ticket" or "fx_". Also allow
**
** INSERT
** UPDATE
** DELETE
**
** But only for tables in "main" or "repository" whose names
** begin with "ticket", "sqlite_", or "fx_".
**
** Of particular importance for security is that this routine
** disallows data changes on the "config" table, as that could
** allow a malicious server to modify settings in such a way as
** to cause a remote code execution.
*/
static int ticket_schema_auth(
void *pNErr,
int eCode,
const char *z0,
const char *z1,
const char *z2,
const char *z3
){
switch( eCode ){
case SQLITE_CREATE_VIEW:
case SQLITE_CREATE_TABLE: {
if( sqlite3_stricmp(z2,"main")!=0
&& sqlite3_stricmp(z2,"repository")!=0
){
goto ticket_schema_error;
}
if( sqlite3_strnicmp(z0,"ticket",6)!=0
&& sqlite3_strnicmp(z0,"fx_",3)!=0
){
goto ticket_schema_error;
}
break;
}
case SQLITE_CREATE_INDEX: {
if( sqlite3_stricmp(z2,"main")!=0
&& sqlite3_stricmp(z2,"repository")!=0
){
goto ticket_schema_error;
}
if( sqlite3_strnicmp(z1,"ticket",6)!=0
&& sqlite3_strnicmp(z0,"fx_",3)!=0
){
goto ticket_schema_error;
}
break;
}
case SQLITE_INSERT:
case SQLITE_UPDATE:
case SQLITE_DELETE: {
if( sqlite3_stricmp(z2,"main")!=0
&& sqlite3_stricmp(z2,"repository")!=0
){
goto ticket_schema_error;
}
if( sqlite3_strnicmp(z0,"ticket",6)!=0
&& sqlite3_strnicmp(z0,"sqlite_",7)!=0
&& sqlite3_strnicmp(z0,"fx_",3)!=0
){
goto ticket_schema_error;
}
break;
}
case SQLITE_REINDEX:
case SQLITE_TRANSACTION:
|
| ︙ | ︙ |